Securing programmatic access
How API keys, webhooks, and AI connections are scoped and kept in check.
3 min read · Updated June 28, 2026
When you connect Stoatify to your own tools, every path in is scoped and revocable, so automation never becomes a way around your permissions.
API keys
- Every API key is scoped to specific objects and actions, and capped by your own role: a key can never do more than you can.
- Keys are stored hashed, shown once, and can be rotated or revoked any time.
- Keys can't manage other keys (that's session-only), so a leaked key can't mint more.
- A key gets no owner shortcuts on restricted items; it's held to exactly its granted access.
Webhooks and intake
- Outbound webhooks and URL imports are guarded against internal-network requests (SSRF), so they can't be aimed at private addresses.
- Webhook payloads carry event metadata, not document contents.
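To make the SSRF guard concrete, here is an added illustration (not Stoatify's code) of the kind of destination check such a guard applies before an outbound webhook or URL import is sent: the scheme, the host and every resolved address are checked, and anything non-public is refused. The exact rules, the `check_destination` name and the offline `table_resolver` are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed illustration of the destination check applied to outbound webhooks and URL
# imports. Not Stoatify's code; the exact rules (https only, no URL credentials, public
# addresses only) are assumptions.

def _is_public(ip):
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) is judged as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, RFC 1918, link-local (incl. 169.254.169.254), ULA, CGNAT
    return ip.is_global and not ip.is_multicast

def check_destination(url, resolver=socket.getaddrinfo):
    """Return (allowed, detail): detail lists the IPs to connect to, or the reason refused."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "destination must use https"
    if parts.username or parts.password:
        return False, "credentials in the URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "destination has no host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or bracketed IPv6
    except ValueError:
        try:
            infos = resolver(host, parts.port or 443, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return False, f"cannot resolve {host}"
        # Every A/AAAA answer must be public: a name with one public and one private record
        # must not pass. The caller should connect to exactly these IPs (and re-run the check
        # on every redirect) instead of resolving again, which rules out DNS rebinding.
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not addrs:
        return False, f"{host} has no addresses"
    blocked = [str(a) for a in addrs if not _is_public(a)]
    if blocked:
        return False, f"{host} resolves to non-public address(es): {', '.join(blocked)}"
    return True, ",".join(str(a) for a in addrs)

def table_resolver(table):
    """Offline stand-in for socket.getaddrinfo over a constructed name -> IP table."""
    def resolve(host, port, **_):
        if host not in table:
            raise socket.gaierror(f"constructed: no record for {host}")
        return [(0, 0, 0, "", (ip, port)) for ip in table[host]]
    return resolve
```

Pass the real `socket.getaddrinfo` (the default) in production; the table resolver only exists so the check can be exercised without network access.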
Good to know
AI assistants connect over MCP with scoped, short-lived, revocable access: they can never see what you can't, and access stops the instant you revoke it.
Tip
Give each integration its own key with the narrowest scope it needs, and rotate on a schedule.